Today begins the first full week of a new vulnerability information exchange between critical infrastructure companies...
and the Department of Homeland Security. DHS assures companies that their disclosures won't be made public, which had been a major stumbling block since the Protected Critical Infrastructure Information (PCII) program's establishment by the Critical Infrastructure Information Act of 2002.
"This Act provides for the establishment of a critical infrastructure information protection program that will exempt from disclosure to the general public any critical infrastructure information that the public may voluntarily provide to the department," according to the PCII program Web site. "The PCII program is designed to encourage private industry to share confidential, proprietary and sensitive business information about critical infrastructure with the government [to pursue] a more secure homeland, focusing primarily on analyzing and securing critical infrastructure and protected systems; developing risk assessments and vulnerabilities; and assisting with recovery."
Federal government requests for information on security breaches and weaknesses in critical infrastructure largely has fallen on deaf ears in the private sector, with industry reluctant to disclose details that could be made public through the Freedom of Information Act (FOIA) or other avenues.
"The plan is viable," said former White House cybersecurity advisor Howard Schmidt. "Under PCII you can get much more detailed information and determine whether an incident is general hacking activity or something that requires government action."
Critics in both the privacy and security arenas have voiced concerns that the law will allow big business to do "bad things with impunity," said Schmidt. "However, the vast majority want to work together to protect critical infrastructure -- it's not in anyone's best interest to use this law to cover up bad deeds, including their own."
PCII says the information may be used for many purposes, focusing primarily on analyzing and securing critical infrastructure and protected systems, risk and vulnerabilities assessments, and assisting with recovery as appropriate.
"I think it's a good faith effort by government to overcome a historical industry reluctance to report information," independent security consultant Richard Forno told SecurityFocus.
Materials may be submitted to the PCII program office (listed at the URL above) by mail or by courier.